| Summary: | ruby new security issue CVE-2013-4073 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | fundawang, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/556771/ | ||
| Whiteboard: | MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok | ||
| Source RPM: | ruby-1.9.3.p429-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser 2013-06-27 19:39:24 CEST

David Walser 2013-06-27 19:39:34 CEST
Whiteboard: (none) => MGA3TOO, MGA2TOO

1.9.3.p448 is in Mageia 3 updates_testing. Unfortunately the build system won't let that one be pushed to Cauldron. Cauldron SVN has 2.0.0.p247, which is only built in updates_testing there and apparently isn't ready to go into release yet. Mageia 2 still needs to be fixed too.

Currently built:
ruby-1.9.3.p448-1.mga3
libruby1.9-1.9.3.p448-1.mga3
ruby-doc-1.9.3.p448-1.mga3
ruby-devel-1.9.3.p448-1.mga3
ruby-tk-1.9.3.p448-1.mga3
ruby-irb-1.9.3.p448-1.mga3

from ruby-1.9.3.p448-1.mga3.src.rpm

Funda also rebuilt a couple of packages because of the ruby update:
ruby-linecache19-0.5.13-5.1.mga3
ruby-linecache19-doc-0.5.13-5.1.mga3
ruby-ruby-debug-base19-0.11.26-5.1.mga3
ruby-ruby-debug-base19-doc-0.11.26-5.1.mga3

from SRPMS:
ruby-linecache19-0.5.13-5.1.mga3.src.rpm
ruby-ruby-debug-base19-0.11.26-5.1.mga3.src.rpm
David Walser 2013-06-28 18:45:07 CEST
URL: (none) => http://lwn.net/Vulnerabilities/556771/

Fixed in Cauldron in ruby-1.9.3.p448-1.mga4.
Version: Cauldron => 3

Ubuntu has issued an advisory for this on July 9:
http://www.ubuntu.com/usn/usn-1902-1/

We still need an update candidate for Mageia 2 to be built.

Patched package uploaded for Mageia 2.

Advisory:
========================

Updated ruby packages fix security vulnerability:

A vulnerability in Ruby's SSL client that could allow man-in-the-middle attackers to spoof SSL servers via a valid certificate issued by a trusted certification authority (CVE-2013-4073).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4073
http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
http://www.ubuntu.com/usn/usn-1902-1/
========================

Updated packages in core/updates_testing:
========================
ruby-1.8.7.p358-1.3.mga2
ruby-doc-1.8.7.p358-1.3.mga2
ruby-devel-1.8.7.p358-1.3.mga2
ruby-tk-1.8.7.p358-1.3.mga2
ruby-1.9.3.p448-1.mga3
libruby1.9-1.9.3.p448-1.mga3
ruby-doc-1.9.3.p448-1.mga3
ruby-devel-1.9.3.p448-1.mga3
ruby-tk-1.9.3.p448-1.mga3
ruby-irb-1.9.3.p448-1.mga3
ruby-linecache19-0.5.13-5.1.mga3
ruby-linecache19-doc-0.5.13-5.1.mga3
ruby-ruby-debug-base19-0.11.26-5.1.mga3
ruby-ruby-debug-base19-doc-0.11.26-5.1.mga3

from SRPMS:
ruby-1.8.7.p358-1.3.mga2.src.rpm
ruby-1.9.3.p448-1.mga3.src.rpm
ruby-linecache19-0.5.13-5.1.mga3.src.rpm
ruby-ruby-debug-base19-0.11.26-5.1.mga3.src.rpm

CC: (none) => fundawang

Note to QA: the patches to fix this also include patches to the build-time test suite to verify the fix. They are run at build time and did pass. For the Mageia 2 package, verifying that it installs cleanly should be sufficient. For Mageia 3, since we updated rather than patching, a little more testing to make sure ruby stuff is still operating normally would be good. No PoC. Just testing the updates.
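The advisory above describes the bug only at the level of "a valid certificate from a trusted CA can spoof a server". What the p448 fix actually changed is how Ruby's OpenSSL client reads the subjectAltName before matching it against the hostname: the pre-fix code parsed the extension's printed text form, which was cut off at the first NUL byte, so a dNSName of the form `www.example.com\0.attacker.test` matched `www.example.com`. The script below is an added example written for this page, not Ruby's or Mageia's code and not a PoC from the bug. It builds a constructed self-signed certificate with exactly such a NUL-embedded dNSName, shows a checker that decodes the extension as ASN.1 and rejects NUL bytes beside a checker that matches on the truncated name, and finally asks the installed Ruby's `OpenSSL::SSL.verify_certificate_identity` for its verdict. The function names (`build_nul_san_cert`, `san_dns_names`, `vulnerable_match?`, `hardened_match?`), the certificate contents and the explicit NUL truncation in `vulnerable_match?` are this example's own assumptions; the truncation simulates what the old checker saw so the result does not depend on which OpenSSL is linked in.

```ruby
require "openssl"

# Constructed input for this example: a dNSName with an embedded NUL byte.
# A checker that treats the name as a C string sees only "www.example.com".
NUL_NAME = "www.example.com\0.attacker.test".b

# Build a self-signed X.509v3 certificate carrying NUL_NAME in its
# subjectAltName. The SAN is encoded by hand with OpenSSL::ASN1 because the
# "DNS:..." config-string path would itself stop at the NUL.
def build_nul_san_cert(nul_name = NUL_NAME)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", "attacker.test"]])
  cert.issuer     = cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  dns_name = OpenSSL::ASN1::IA5String.new(nul_name, 2, :IMPLICIT, :CONTEXT_SPECIFIC) # [2] dNSName
  san_der  = OpenSSL::ASN1::Sequence.new([dns_name]).to_der                         # GeneralNames
  cert.add_extension(OpenSSL::X509::Extension.new("subjectAltName", san_der, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Pull every dNSName out of the SAN by decoding the extension as ASN.1, the
# way the p448 fix does, rather than parsing OpenSSL's printed text form.
def san_dns_names(cert)
  cert.extensions.select { |ext| ext.oid == "subjectAltName" }.flat_map do |ext|
    ext_value = OpenSSL::ASN1.decode(ext.to_der).value.last   # extnValue OCTET STRING
    OpenSSL::ASN1.decode(ext_value.value).value               # GeneralNames SEQUENCE
      .select { |general_name| general_name.tag == 2 }         # [2] dNSName
      .map    { |general_name| general_name.value }
  end
end

# Wildcard matching as Ruby's verify_certificate_identity does it: "*"
# matches exactly one DNS label, comparison is case-insensitive.
def glob_match?(pattern, hostname)
  re = Regexp.escape(pattern).gsub('\*', "[^.]+")
  /\A#{re}\z/i.match?(hostname)
end

# Pre-fix behaviour, simulated: the old checker parsed the extension's
# printed form ("DNS:...") and the C-side printer stopped at the first NUL,
# so the name was matched after truncation. The truncation is done here
# explicitly so the result does not depend on the installed OpenSSL.
def vulnerable_match?(cert, hostname)
  san_dns_names(cert).any? do |name|
    as_printed = name.split("\0", 2).first || ""
    glob_match?(as_printed, hostname)
  end
end

# Hardened check: match on the decoded ASN.1 value and refuse any name that
# contains a NUL or non-ASCII byte before it reaches the matcher.
def hardened_match?(cert, hostname)
  san_dns_names(cert).any? do |name|
    next false if name.include?("\0") || !name.ascii_only?
    glob_match?(name, hostname)
  end
end

if __FILE__ == $0
  cert = build_nul_san_cert
  host = "www.example.com"
  puts "SAN dNSName bytes:   #{san_dns_names(cert).first.inspect}"
  puts "pre-fix style match: #{vulnerable_match?(cert, host)}"   # true
  puts "hardened match:      #{hardened_match?(cert, host)}"     # false
  puts "stdlib verify_certificate_identity: #{OpenSSL::SSL.verify_certificate_identity(cert, host)}" # false on a patched Ruby
end
```

Run it with `ruby nul_san_check.rb` (no network needed; the key and certificate are generated in memory). On a Ruby carrying the p448 fix or anything later, the stdlib check and `hardened_match?` both return false for `www.example.com`, while the truncating `vulnerable_match?` still returns true, which is the whole CVE in three lines of output. Note that on OpenSSL 3 reading the SAN through `ext.value` (the printed form) raises instead of truncating, which is one more reason the ASN.1 path is the right one to build on.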
Testing complete mga3 64
Tested with a little Ruby script:
-------------
#!/usr/bin/ruby
# Keeps a running total in an instance variable and exposes it through accessors.
class Total
  def initialize(initial_amount)
    @total = initial_amount
  end

  def increaseBy(increase)
    @total += increase
  end

  def multiplyBy(increase)
    @total *= increase
  end

  def setTo(amount)
    @total = amount
  end

  def getTotal() return @total; end
  def hasTotal() return @total != nil; end
end

total = Total.new(0)
for ss in 1..4
  total.increaseBy(ss)
  puts total.getTotal if total.hasTotal
end
print "Final total: ", total.getTotal, "\n" if total.hasTotal
-------------
It gives output like this:
$ ruby rubytest.rb
1
3
6
10
Final total: 10
Also ruby-tk and ruby-irb from here: http://chmeee.dyndns.org/learntk/HelloWorld
$ irb
irb(main):001:0> require 'tk'
=> true
irb(main):002:0> root = TkRoot.new() { title "Hello, world!" }
=> #<Tk::Root:0x000000016df910 @path=".">
irb(main):003:0> Tk.mainloop()
=> nil
irb(main):004:0> quit()
Opens a window titled 'Hello, World!'.
Some docs on ruby-linecache19 here:
http://rubydoc.info/gems/linecache19/0.5.12/frames
$ irb
irb(main):001:0> require 'linecache19'
=> true
irb(main):002:0> lines = LineCache::getlines('~/testcases/ruby/rubytest.rb')
=> ["#!/usr/bin/ruby\n", "class Total\n", "\tdef initialize(initial_amount)\n", "\t\t@total=initial_amount\n", "\tend\n", "\n", "\tdef increaseBy(increase)\n", "\t\t@total += increase\n", "\tend\n", "\n", "\tdef multiplyBy(increase)\n", "\t\t@total *= increase\n", "\tend\n", "\n", "\tdef setTo(amount)\n", "\t\t@total = amount\n", "\tend\n", "\n", "\tdef getTotal() return @total; end\n", "\tdef hasTotal() return @total!=nil; end\n", "end\n", "\n", "total = Total.new(0)\n", "for ss in 1..4\n", "\ttotal.increaseBy(ss)\t\n", "\tputs total.getTotal if total.hasTotal\n", "end\n", "print \"Final total: \", total.getTotal, \"\\n\" if total.hasTotal\n"]
irb(main):003:0> LineCache::clear_file_cache
=> {}
irb(main):004:0> quit
Some info on ruby-debug-base19 here:
http://rubydoc.info/gems/ruby-debug-base19/0.11.25/frames
rdebug is provided in ruby-ruby-debug19
# urpmi ruby-ruby-debug19
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release")
ruby-columnize 0.3.6 6.mga3 noarch
ruby-ruby-debug19 0.11.6 5.mga3 noarch
158KB of additional disk space will be used.
48KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
$ rdebug rubytest.rb
/home/claire/testcases/ruby/rubytest.rb:2
class Total
(rdb:1) help
ruby-debug help v0.11
Type 'help <command-name>' for help on a specific command
Available commands:
backtrace delete enable help list ps save thread where
break disable eval info method putl set trace
catch display exit irb next quit show undisplay
condition down finish jump p reload source up
continue edit frame kill pp restart step var
(rdb:1) continue
1
3
6
10
Final total: 10

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok

Testing complete mga2 32

Tested using the same scripts for basic ruby and ruby-tk and pasted one into irb.
claire robinson 2013-07-22 09:38:28 CEST
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga3-64-ok

Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure mga2-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok

Testing complete mga3 32

Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Validating. Advisory in comment 5 uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates. Thanks!
claire robinson 2013-07-22 10:42:04 CEST
Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2013-0229.html

Status: NEW => RESOLVED